Identity Management

This section explains how to manage users and groups in the Active Directory from the CCME Management Host.

User management

Warning

You need write access to the Active Directory (usually an administrator, or a user with delegated rights). In the following sections, the administrator username is CCME_AD_ADMIN_NAME.

Warning

Users and groups are both created under CN=Users, and a distinguishedName has to be unique: a user name and a group name CANNOT be identical.

To create a user, follow these steps:

  • Add a user

  • Add a password to the user

The user account is only enabled once its password has been set.

Note

Apply your modifications to the target AD with LDAP(S) commands.

To apply an LDIF, fill in the variables and run ldapmodify against the Active Directory. A simple way to do it:

ldif_file=$(mktemp)
cat >"${ldif_file}" <<EOF
### YOUR LDIF HERE ###
EOF

# -x selects a simple bind, as in the other ldap* commands on this page.
# -w puts the password on the command line, where it is visible in ps output
# and in the shell history; -y <file> reads it from a file instead.
# In case of LDAPS, uncomment the following line so that the server
# certificate is verified against the directory's CA certificate.
# LDAPTLS_CACERT="${CCME_CONF}/${CCME_AD_URI}.crt" \
ldapmodify -x -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -w "${CCME_AD_ADMIN_PASSWORD}" -D "${CCME_AD_ADMIN_CN}" -f "${ldif_file}"
rm -f "${ldif_file}"
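As an added example (not part of the CCME documentation), the same invocation wrapped in a function that keeps the bind password out of the process list and turns LDAPTLS_CACERT on only for ldaps; the name ccme_apply_ldif and the LDAPMODIFY_BIN override are assumptions, the CCME_* variables are the ones used on this page.

```shell
# Added example, not CCME code: the ldapmodify call above as a function.
# Assumed names: ccme_apply_ldif and the LDAPMODIFY_BIN override (defaults to
# ldapmodify); the CCME_* variables are the ones used on this page.
# Compared with the inline snippet it
#  - passes the bind password with -y <file> (0600, deleted afterwards) rather
#    than -w, so it is not visible in ps output or the shell history,
#  - exports LDAPTLS_CACERT only for ldaps, so one function serves both,
#  - uses -x (simple bind) like every other ldap* command on this page, and -a
#    so an LDIF without a changetype line is added (explicit changetype lines
#    such as "changetype: modify" are still honoured).
ccme_apply_ldif() {
    ldif_file=$1
    [ -r "$ldif_file" ] || { echo "LDIF not readable: $ldif_file" >&2; return 2; }
    for v in CCME_AD_PROTOCOL CCME_AD_URI CCME_AD_ADMIN_CN CCME_AD_ADMIN_PASSWORD; do
        eval "[ -n \"\${$v}\" ]" || { echo "missing variable: $v" >&2; return 2; }
    done
    # The password file is created with a restrictive umask and removed after
    # the call; printf '%s' avoids a trailing newline, which -y would keep.
    pw_file=$(umask 077 && mktemp) || return 2
    printf '%s' "$CCME_AD_ADMIN_PASSWORD" >"$pw_file"
    (
        if [ "$CCME_AD_PROTOCOL" = "ldaps" ]; then
            LDAPTLS_CACERT="${CCME_CONF}/${CCME_AD_URI}.crt"; export LDAPTLS_CACERT
        fi
        "${LDAPMODIFY_BIN:-ldapmodify}" -x -a \
            -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" \
            -D "${CCME_AD_ADMIN_CN}" -y "$pw_file" -f "$ldif_file"
    )
    rc=$?
    rm -f "$pw_file"
    return "$rc"
}
```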

Add a user

To create a new user with ldap, use the following code:

# -x reads the administrator password from stdin
echo "${CCME_AD_ADMIN_PASSWORD}" | adcli create-user -x -U "${CCME_AD_ADMIN_NAME}" --domain-controller="${CCME_AD_URI}" --display-name="${USER_NAME}" "${USER_NAME}"

To create a new user with ldaps, use the following steps:

  • Create a new file (ldif_file)

  • Copy the following LDIF into it, replacing each ${VARIABLE} placeholder with its value

  • Apply the LDIF with ldapadd (see the command below)

    dn: CN=${USER_NAME},CN=Users,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: ${USER_NAME}
    displayName: ${USER_NAME}
    name: ${USER_NAME}
    sAMAccountName: ${USER_NAME}
    userPrincipalName: ${USER_NAME}@${CCME_AD_DIR_NAME}
    
  • Run the following command to create the user from your ldif_file (over LDAPS, LDAPTLS_CACERT must point at the directory's CA certificate)

    LDAPTLS_CACERT="${CCME_CONF}/${CCME_AD_URI}.crt" \
    ldapadd -x \
      -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -D "${CCME_AD_ADMIN_CN}" \
      -w "${CCME_AD_ADMIN_PASSWORD}" \
      -f "${ldif_file}"
    

Add/Update a user password

To set or reset a user password, use the AWS Directory Service API; setting the password also enables the account:

aws ds reset-user-password \
  --directory-id "${CCME_AD_ID}" \
  --user-name "${USER_NAME}" \
  --new-password "${USER_PASSWORD}" \
  --region "${AWS_REGION}"

Delete a user

To delete a user, use the following bash code:

# LDAP
echo "${CCME_AD_ADMIN_PASSWORD}" | adcli delete-user -x -U "${CCME_AD_ADMIN_NAME}" --domain-controller="${CCME_AD_URI}" "${USER_NAME}"
# LDAPS
LDAPTLS_CACERT="${CCME_CONF}/${CCME_AD_URI}.crt" \
ldapdelete -x -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" \
  -D "${CCME_AD_ADMIN_CN}" \
  -w "${CCME_AD_ADMIN_PASSWORD}" \
  "CN=${USER_NAME},CN=Users,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}"

Group management

Add a group

To add a group with ldap, use the following bash code:

echo "${CCME_AD_ADMIN_PASSWORD}" | adcli create-group -x -U "${CCME_AD_ADMIN_NAME}" --domain-controller="${CCME_AD_URI}" "${GROUP_NAME}"

To add a new group with ldaps, use the following steps:

  • Create a new file (ldif_file)

  • Copy the following LDIF into it, replacing each ${VARIABLE} placeholder with its value

  • Apply the LDIF with ldapmodify, as shown in the note above

dn: CN=${GROUP_NAME},CN=Users,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}
# changetype: add is required when the LDIF is applied with ldapmodify
# (ldapadd assumes it)
changetype: add
objectClass: top
objectClass: group
cn: ${GROUP_NAME}
description: ${GROUP_NAME}
name: ${GROUP_NAME}
sAMAccountName: ${GROUP_NAME}
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}
distinguishedName: CN=${GROUP_NAME},CN=Users,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}

Delete a group

To delete a group, use the following bash code:

# LDAP
echo "${CCME_AD_ADMIN_PASSWORD}" | adcli delete-group -x -U "${CCME_AD_ADMIN_NAME}" --domain-controller="${CCME_AD_URI}" "${GROUP_NAME}"
# LDAPS
LDAPTLS_CACERT="${CCME_CONF}/${CCME_AD_URI}.crt" \
ldapdelete -x -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" \
  -D "${CCME_AD_ADMIN_CN}" \
  -w "${CCME_AD_ADMIN_PASSWORD}" \
  "CN=${GROUP_NAME},CN=Users,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}"

Add a user to a group

To add a user to a group with ldap, use the following bash code:

echo "${CCME_AD_ADMIN_PASSWORD}" | adcli add-member -x -U "${CCME_AD_ADMIN_NAME}" --domain-controller="${CCME_AD_URI}" "${GROUP_NAME}" "${USER_NAME}"

To add a user to a group with ldaps, use the following steps:

  • Create a new file (ldif_file)

  • Copy the following LDIF into it, replacing each ${VARIABLE} placeholder with its value

  • Apply the LDIF with ldapmodify, as shown in the note above

dn: CN=${GROUP_NAME},CN=Users,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}
changetype: modify
add: member
# member holds the user's distinguishedName, not its sAMAccountName
member: CN=${USER_NAME},CN=Users,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}

Remove a user from a group

To remove a user from a group with ldap, use the following bash code:

echo "${CCME_AD_ADMIN_PASSWORD}" | adcli remove-member -x -U "${CCME_AD_ADMIN_NAME}" --domain-controller="${CCME_AD_URI}" "${GROUP_NAME}" "${USER_NAME}"

To remove a user from a group with ldaps, use the following steps:

  • Create a new file (ldif_file)

  • Copy the following LDIF into it, replacing each ${VARIABLE} placeholder with its value

  • Apply the LDIF with ldapmodify, as shown in the note above

dn: CN=${GROUP_NAME},CN=Users,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}
changetype: modify
delete: member
# member holds the user's distinguishedName, not its sAMAccountName
member: CN=${USER_NAME},CN=Users,DC=${CCME_AD_DIR_NAME_DC1},DC=${CCME_AD_DIR_NAME_DC2}